Advanced Microsoft 365 Phishing Attacks Powered by Axios Abuse and Salty 2FA Kits

Threat actors are increasingly exploiting HTTP client tools like Axios in conjunction with Microsoft’s Direct Send feature to create a “highly efficient attack pipeline” in recent phishing campaigns, as reported by ReliaQuest. Axios user agent activity surged by 241% from June to August 2025, significantly outpacing the 85% growth of all other flagged user agents combined. According to the report shared with The Hacker News, Axios accounted for 24.44% of all activity among 32 flagged user agents during this period. The abuse of Axios was previously highlighted by Proofpoint in January 2025, which detailed campaigns using HTTP clients to send requests and receive responses from web servers to conduct account takeover (ATO) attacks on Microsoft 365 environments. ReliaQuest noted that there is no evidence linking these activities, but the tool’s versatility suggests it is being adopted by various threat actors, regardless of their sophistication or motivation.

Phishing campaigns have also been observed increasingly utilising the legitimate Microsoft 365 (M365) feature known as Direct Send to spoof trusted users and distribute malicious email messages. By amplifying Axios abuse through Microsoft Direct Send, attackers aim to weaponise a trusted delivery method, ensuring their messages bypass secure gateways and reach users’ inboxes. Recent campaigns that combined Axios with Direct Send achieved a remarkable 70% success rate, surpassing non-Axios campaigns with “unparalleled efficiency.” The campaign identified by ReliaQuest began in July 2025, initially targeting executives and managers in finance, healthcare, and manufacturing sectors, before expanding to all users. This approach is considered a game changer for attackers, as it not only bypasses traditional security measures with improved precision but also enables phishing operations at an unprecedented scale.

In these attacks, Axios is employed to intercept, modify, and replay HTTP requests, allowing attackers to capture session tokens or multi-factor authentication (MFA) codes in real time. Attackers can also exploit SAS tokens in Azure authentication workflows to gain access to sensitive resources. ReliaQuest stated that attackers leverage this blind spot to bypass MFA, hijack session tokens, and automate phishing workflows. The customisability of Axios allows attackers to tailor their activities to closely mimic legitimate workflows. The phishing emails often use compensation-themed lures to entice recipients into opening PDF documents containing malicious QR codes. When scanned, these QR codes direct users to counterfeit login pages that imitate Microsoft Outlook, facilitating credential theft.
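As an added example (not code from the ReliaQuest or Proofpoint reports), the following defender-side triage script applies the user-agent flagging discussed above to Microsoft Entra sign-in records: it tallies the share of each flagged client family, as the 24.44% figure was derived, and lists successful sign-ins made from a scripted client. It assumes a JSON-lines export with the fields shown and a constructed watch-list of User-Agent prefixes; the sign-in records are constructed sample data.

```python
"""Flag Microsoft 365 sign-ins made with scripted HTTP clients such as Axios."""
import json
import re
from collections import Counter

# Constructed sample sign-in records (not real data). One browser sign-in, two
# sign-ins carrying the default Axios User-Agent ("axios/<version>"), of which
# one succeeds, and one failed sign-in from another scripted client.
SAMPLE_SIGNIN_LOGS = """
{"userPrincipalName":"cfo@example.com","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/128.0","status":{"errorCode":0},"appDisplayName":"Office 365 Exchange Online"}
{"userPrincipalName":"cfo@example.com","userAgent":"axios/1.7.2","status":{"errorCode":0},"appDisplayName":"Office 365 Exchange Online"}
{"userPrincipalName":"hr@example.com","userAgent":"axios/1.6.8","status":{"errorCode":50126},"appDisplayName":"Microsoft Office"}
{"userPrincipalName":"ops@example.com","userAgent":"python-requests/2.32.3","status":{"errorCode":50126},"appDisplayName":"Microsoft Office"}
""".strip()

# Assumed watch-list. Axios identifies itself as "axios/<version>" by default;
# the second entry is a stand-in for the rest of an organisation's flagged list.
FLAGGED_UA = {
    "axios": re.compile(r"^axios/\d", re.IGNORECASE),
    "python-requests": re.compile(r"^python-requests/", re.IGNORECASE),
}


def classify_user_agent(user_agent):
    """Return the flagged client family for a User-Agent, or None if not flagged."""
    for family, pattern in FLAGGED_UA.items():
        if pattern.search(user_agent or ""):
            return family
    return None


def parse_logs(text):
    """Parse a JSON-lines sign-in export into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def flagged_share(records):
    """Percentage of each flagged client family among all flagged-UA sign-in events."""
    counts = Counter()
    for rec in records:
        family = classify_user_agent(rec.get("userAgent"))
        if family:
            counts[family] += 1
    total = sum(counts.values())
    return {f: round(100 * n / total, 2) for f, n in counts.items()} if total else {}


def successful_scripted_signins(records):
    """Sign-ins from a flagged client that succeeded (errorCode 0): triage these first."""
    hits = []
    for rec in records:
        family = classify_user_agent(rec.get("userAgent"))
        if family and rec.get("status", {}).get("errorCode") == 0:
            hits.append((rec["userPrincipalName"], family, rec["appDisplayName"]))
    return hits


if __name__ == "__main__":
    recs = parse_logs(SAMPLE_SIGNIN_LOGS)
    print(flagged_share(recs))
    for hit in successful_scripted_signins(recs):
        print("TRIAGE:", hit)
```

A successful sign-in from a scripted client against a user who normally signs in from a browser is the case to correlate with mailbox rule changes and token refresh activity.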

Categories: Phishing Campaigns, Exploitation of Legitimate Tools, Bypassing Security Measures 

Tags: Axios, Direct Send, Phishing, Cybersecurity, Account Takeover, Microsoft 365, Session Tokens, Multi-Factor Authentication, Credential Theft, Attack Pipeline 
